Ubuntu 16 + Nginx + PHP-FPM + MariaDB + Memcached
sudo apt-get update
sudo apt-get upgrade
sudo swapon -s
https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
Создать нового пользователя и добавить его в группу sudo:
adduser username
adduser username sudo
Сменить ssh-порт по умолчанию (вместо 22) и запретить логин под root
sudo nano /etc/ssh/sshd_config
Port 22
PermitRootLogin no
Перезапустить ssh
$ sudo service ssh restart
и залогиниться под новым пользователем.
TODO: авторизация по ssh-ключам
sudo apt-get install ufw
Базовый набор правил
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
Доступ по SSH (указать правильный порт)
sudo ufw allow ssh
или
sudo ufw allow 22/tcp
Веб-сервер и ftp
sudo ufw allow www
или sudo ufw allow 80/tcp
sudo ufw allow ftp
или sudo ufw allow 21/tcp
sudo apt-get install fail2ban
TODO: настроить https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04
Настройка временной зоны
sudo dpkg-reconfigure tzdata
TODO: logrotate и logwatch
sudo nano /etc/sysctl.conf
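# /etc/sysctl.conf additions for this host. Apply with `sudo sysctl -p` and
# check that no key is reported as missing.

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
# and malformed ICMP error replies.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies keep the listen backlog usable under a SYN flood.
net.ipv4.tcp_syncookies = 1
# Do not honour source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Strict reverse-path filtering: drop packets whose source address is not
# routable back through the interface they arrived on.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# This host is not a router: no forwarding, no ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# kernel.exec-shield is a Red Hat kernel patch; the key does not exist on
# Ubuntu kernels and `sysctl -p` reports an error for it. NX and ASLR are
# provided by the stock kernel, so the line is kept only for reference.
# kernel.exec-shield = 1
# Full address-space randomisation. 2 (the kernel default) also randomises
# the heap/brk region; the previous value of 1 left it at a fixed offset.
kernel.randomize_va_space = 2

# Network tuning (not hardening): ephemeral port range, socket buffers,
# backlog for bursts of incoming packets.
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# Prefer keeping pages in RAM; swap only under real memory pressure.
vm.swappiness = 10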
sudo apt-get install nginx
sudo apt-get install php-fpm php-mysql php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc
Устранение уязвимости php
sudo nano /etc/php/7.0/fpm/php.ini
cgi.fix_pathinfo=0
sudo service php7.0-fpm restart
sudo apt-get install memcached php-memcache
sudo apt-get install mariadb-server mariadb-client
sudo apt-get install -y vsftpd
sudo nano /etc/vsftpd.conf
write_enable=YES
service vsftpd restart
sudo nano /etc/nginx/nginx.conf
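# /etc/nginx/nginx.conf for this Ubuntu 16 / PHP-FPM setup.
# The per-site server block lives in sites-available and is activated by a
# symlink into sites-enabled, so that directory MUST be included below —
# without it the site config is never loaded.
worker_processes 1; # equal to the number of CPU cores
pid /var/run/nginx.pid;
timer_resolution 100ms;
# Per-worker open-file limit; keep it above worker_connections (1024 below),
# since a connection can hold a socket plus a file from the open_file_cache.
worker_rlimit_nofile 8192;
worker_priority -5;

events {
    worker_connections 1024;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    keepalive_timeout 30;
    keepalive_requests 100;
    # Free the connection state immediately on timeout; with the short
    # header/body/send timeouts this bounds how long a slow client can hold
    # a worker slot.
    reset_timedout_connection on;
    send_timeout 10;
    client_header_timeout 10;
    client_body_timeout 10;

    # Request size limits. client_max_body_size 1m also caps file uploads to
    # the PHP application served by the site config; raise it per location
    # if larger uploads are required.
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1m;
    large_client_header_buffers 4 8k;

    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Global logging is almost silent: no access log, only crit-level errors.
    # The site config re-enables both per server with its own log paths;
    # any server that does not define its own access_log leaves no trace.
    access_log off;
    error_log /var/log/nginx/error.log crit;

    gzip on;
    gzip_disable "msie6";
    gzip_min_length 1100;
    gzip_buffers 64 8k;
    gzip_comp_level 3;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    include /etc/nginx/conf.d/*.conf;
    # Per-site server blocks (the example.com symlink created on this page).
    include /etc/nginx/sites-enabled/*;
}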
sudo systemctl restart nginx
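# Give the deploy user membership of the web-server group and hand the
# document root to www-data. The final modes below are 755/644 (no group
# write), so membership of www-data alone does NOT let `username` modify the
# site files; also, if php7.0-fpm's pool runs as www-data (the Ubuntu
# default) PHP can write anywhere under the docroot — TODO confirm both are
# acceptable for how this site will be deployed.
sudo usermod -aG www-data username
sudo chown -R www-data:www-data -- /home/username/example.com/public_html
# Directories 755, files 644. (A recursive `chmod -R 0775` used to precede
# these two commands; it was dead work, because both find runs overwrite
# every mode it set.)
sudo find /home/username/example.com/public_html -type d -exec chmod 755 {} +
sudo find /home/username/example.com/public_html -type f -exec chmod 644 {} +
# Per-site log files referenced by the nginx server block. `-p` makes the
# step idempotent when the directory already exists.
mkdir -p -- /home/username/example.com/logs/
touch -- /home/username/example.com/logs/error.log /home/username/example.com/logs/access.log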
sudo nano /etc/nginx/sites-available/example.com
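# /etc/nginx/sites-available/example.com — virtual host for example.com.
# Activated by the symlink into sites-enabled; nginx.conf must include that
# directory for this file to be loaded.

# Canonical-host redirect for www. $request_uri already carries the query
# string, so a plain `return 301` is enough (no rewrite/`?` trick needed).
server {
    listen 80;
    server_name www.example.com;
    return 301 http://example.com$request_uri;
}

server {
    listen 80;
    server_name example.com;
    root /home/username/example.com/public_html;
    index index.php index.html;
    # Per-site logs (nginx.conf itself has access_log off / error_log crit).
    error_log /home/username/example.com/logs/error.log;
    access_log /home/username/example.com/logs/access.log;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Hide dotfiles (.htaccess, .git, ...). This also covers /.well-known/,
    # which ACME HTTP-01 validation uses; add an exception above this block
    # if that is needed later.
    location ~ /\. {
        deny all;
        return 404;
    }

    # Never serve the configuration file, even if PHP handling is broken.
    # (No `$` anchor on purpose: backup copies such as wp-config.php.bak are
    # covered as well.)
    location ~ /wp-config\.php {
        deny all;
        return 404;
    }

    # Files under uploads/ or files/ are never executed as PHP.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Static assets: no access log, long client cache. The previous pattern
    # `~*^.+.(jpg|...)$` had an unescaped dot and so matched e.g. /fooJPG;
    # matching on the escaped extension is what was intended.
    location ~* \.(jpg|jpeg|gif|png|ico|css|bmp|swf|js|mov|avi|mp4|mpeg4)$ {
        access_log off;
        expires 30d;
    }

    location ~ \.php$ {
        # Only hand scripts that exist on disk to PHP-FPM. Together with
        # cgi.fix_pathinfo=0 in php.ini this stops /image.jpg/x.php-style
        # requests from being executed as PHP.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # This page installs php7.0-fpm, whose socket is /run/php/php7.0-fpm.sock.
        # The php5-fpm socket path does not exist on Ubuntu 16.04, so every
        # PHP request would have failed with a 502.
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}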
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com